Aikido Security recently uncovered a critical vulnerability in the XRP Ledger’s official JavaScript SDK: compromised versions of the XRPL Node Package Manager (NPM) package had been published to the registry starting April 21.
The affected versions, specifically v4.2.1 through v4.2.4 and v2.14.2, were found to contain a backdoor that could potentially exfiltrate private keys, posing a significant threat to crypto wallets relying on the software.
NPM packages serve as reusable modules for JavaScript and Node.js projects, simplifying the installation, updates, and removal processes. Aikido Security’s automated threat monitoring platform detected the anomaly when NPM user “mukulljangid” released five new versions of the XRPL package that did not align with any tagged releases on the official GitHub repository, triggering suspicions of a supply chain compromise.
Further analysis revealed that the compromised packages included a function called checkValidityOfSeed, which made external calls to the unverified domain 0x9c[.]xyz. This function, triggered during the wallet class instantiation, surreptitiously transmitted private keys during wallet creation.
Initially, the malicious code was embedded in the built JavaScript files of early versions (v4.2.1 and v4.2.2). Subsequent iterations (v4.2.3 and v4.2.4) introduced the backdoor into the TypeScript source files, which were then compiled into production code. The attacker’s tactics evolved from manual JavaScript manipulation to more sophisticated integration into the SDK’s build process.
This targeted attack against the crypto development infrastructure impacted hundreds of thousands of applications and websites utilizing the compromised XRPL package. The compromised versions also removed development tools and scripts from the package.json file, indicating deliberate tampering.
In response to the security vulnerability, the XRP Ledger Foundation promptly acknowledged the issue and removed the affected versions from the NPM registry following the disclosure. However, the extent to which users had integrated the compromised versions before the issue was identified remains uncertain.
Mark Ibanez, CTO of XRP Ledger-based Gen3 Games, highlighted the importance of best practices to mitigate risks, such as committing the “lockfile” to version control, utilizing Performant NPM (PNPM) when feasible, and avoiding unintended version upgrades by refraining from using the caret (^) symbol in package.json.
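As an added example (not code from the article, Aikido, or the xrpl project), the following Node.js script applies the checks described above from a defender's side: it flags a caret range on xrpl in package.json, flags a lockfile that resolves xrpl to one of the compromised versions, and scans an installed file's text for the two indicators the analysis named, the checkValidityOfSeed function and the 0x9c.xyz host. The package.json, lockfile and source text used below are constructed sample inputs.

```javascript
// Versions the article reports as backdoored.
const AFFECTED_XRPL_VERSIONS = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);

// Indicators of the backdoor named in the article, matched as plain substrings.
const INDICATORS = ["checkValidityOfSeed", "0x9c.xyz"];

// Audit a package.json / package-lock.json pair (both passed as text) and
// return a list of human-readable findings (empty when nothing is wrong).
function auditDependencies(packageJsonText, lockfileText) {
  const findings = [];
  const pkg = JSON.parse(packageJsonText);
  const ranges = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  // A caret or tilde range lets a later publish (such as a malicious patch
  // release) be installed silently on the next update.
  if (typeof ranges.xrpl === "string" && /^[\^~]/.test(ranges.xrpl)) {
    findings.push(`package.json pins xrpl loosely (${ranges.xrpl}); use an exact version`);
  }
  // lockfileVersion 2 and 3 record installed packages under "packages",
  // keyed by their node_modules path; nested copies are caught as well.
  const lock = JSON.parse(lockfileText);
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/xrpl") && AFFECTED_XRPL_VERSIONS.has(entry.version)) {
      findings.push(`lockfile resolves ${path} to compromised version ${entry.version}`);
    }
  }
  return findings;
}

// Return the indicators present in one installed file's text, e.g. the
// contents of node_modules/xrpl/dist/npm/Wallet/index.js (path assumed).
function scanForIndicators(sourceText) {
  return INDICATORS.filter((ioc) => sourceText.includes(ioc));
}

// Constructed sample inputs describing a vulnerable project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ dependencies: { xrpl: "^4.2.0" } });
const SAMPLE_LOCKFILE = JSON.stringify({
  lockfileVersion: 3,
  packages: { "node_modules/xrpl": { version: "4.2.4" } },
});
const SAMPLE_SOURCE = "function checkValidityOfSeed(seed) { /* constructed stub naming 0x9c.xyz */ }";

console.log(auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE));
console.log(scanForIndicators(SAMPLE_SOURCE));
```

Run it against a real project by reading its package.json, lockfile and the installed xrpl files from disk instead of the constructed samples.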
The XRP Ledger Foundation’s commitment to resolving the security issue underscores the ongoing efforts to safeguard the integrity of the XRPL ecosystem and protect users from potential threats.